RE: Dropping connection instead of returning 400

[Michael Silk <michaelsilk () gmail com>]

Christopher,

 It seems like such a trivial measure that I don't think breaking the
spec is worth it. You seem to be concerned about the information
returned... well just return less. Don't 'break the spec' for
something so trivial.

 Like the comments on your blog say, bandwidth is a silly reason; and
you can simply configure the server to not display the OS, or give a
fake OS if that makes you feel more comfortable.

 Breaking the spec is a bad idea, IMO.

-- Michael

> -----Original Message-----
> From: christopher () baus net [mailto:christopher () baus net] 
> Sent: Wednesday, 2 March 2005 4:00 PM
> To: webappsec () securityfocus com
> Subject: Dropping connection instead of returning 400 
>
> I have an application proxy "under my pillow" so to speak.  
> I've built it from the ground up over the past couple years 
> with security in mind.  It has been a long and tedious task, 
> but I think my efforts are finally starting to pay off.
>
> One thing that keeps coming back to me is 400 Bad Request 
> handling.  It is now my opinion that security proxies should 
> just drop connection when faced with traffic they refuse to handle.
>
> I put some thoughts on this on my blog here:
>
> http://www.baus.net/400-bad-request
>
> Which cause one client developer to call me a non-compliant 
> wanker here:
>
> http://www.mackmo.com/nick/blog/java/?permalink=Please_send_40
> 0_Bad_Request_and_.txt
>
> I then followed up with the general thought that I'm willing 
> to be non-compliant in the name of security:
>
> http://www.baus.net/breaking-the-spec-in-the-name-of-security
>
> So what do you think?  Is security worth non-compliance with 
> the HTTP spec?
>
> Christopher Baus
> ========
> Implementing an HTTP proxy?
> Consider a fast, secure alternative
> http://www.baus.net/